PKI\CA Certificate Authority
PKI\rejected The Certificate store contains certificates that have been rejected.
PKI\rejected\certs Contains the X.509 v3 Certificates which have been rejected.
PKI\trusted The Certificate store contains trusted Certificates.
PKI\trusted\certs Contains the X.509 v3 Certificates that are trusted.
PKI\trusted\crl Contains the X.509 v3 CRLs for any Certificates in the ./certs directory.
PKI\issuers The Certificate store contains the CA Certificates needed for validation.
PKI\issuers\certs Contains the X.509 v3 Certificates that are needed for validation.
PKI\issuers\crl Contains the X.509 v3 CRLs for any Certificates in the ./certs directory.
Note: see https://reference.opcfoundation.org/GDS/docs/F.1/
| command | Help |
|---|---|
| demo | create default certificate for node-opcua demos |
| createCA | create a Certificate Authority |
| createPKI | create a Public Key Infrastructure |
| certificate | create a new certificate |
| revoke | revoke an existing certificate |
| dump | display a certificate |
| toder | convert a certificate to a DER format |
| fingerprint | print the certificate fingerprint |
Options: --help display help
| default value | ||
|---|---|---|
--subject |
the CA certificate subject | "/C=FR/ST=IDF/L=Paris/O=Local NODE-OPCUA Certificate Authority/CN=NodeOPCUA-CA" |
--root, -r |
the location of the Certificate folder | "{CWD}/certificates" |
--CAFolder, -c |
the location of the Certificate Authority folder | "{root}/CA"] |
--keySize, -k, --keyLength |
the private key size in bits (1024 | 2048 ,3072, 4096 ,2048 |
this command create a bunch of certificates with various characteristics for demo and testing purposes.
crypto_create_CA demo [--dev] [--silent] [--clean]
Options:
| --help | display help | |
| --dev | create all sort of fancy certificates for dev testing purposes | |
| --clean | Purge existing directory [use with care!] | |
| --silent, -s | minimize output | |
| --root, -r | the location of the Certificate folder | {CWD}/certificates |
Example:
$crypto_create_CA demo --dev
$crypto_create_CA certificate --help
Options:
| --help | display help | |
| --applicationUri, -a | the application URI | urn:{hostname}:Node-OPCUA-Server |
| --output, -o | the name of the generated certificate | my_certificate.pem |
| --selfSigned, -s | if true, the certificate will be self-signed | false |
| --validity, -v | the certificate validity in days | |
| --silent, -s | minimize output | |
| --root, -r | the location of the Certificate folder | {CWD}/certificates |
| --CAFolder, -c | the location of the Certificate Authority folder | {root}/CA |
| --PKIFolder, -p | the location of the Public Key Infrastructure | {root}/PKI |
| --privateKey, -p | optional:the private key to use to generate certificate | |
| --subject | the certificate subject ( for instance /C=FR/ST=Centre/L=Orleans/O=SomeOrganization/CN=Hello ) |
- https://www.entrust.com/wp-content/uploads/2013/05/pathvalidation_wp.pdf
- https://en.wikipedia.org/wiki/Certification_path_validation_algorithm
- https://tools.ietf.org/html/rfc5280
This modules requires OpenSSL or LibreSSL to be installed.
On Windows, a version of OpenSSL is automatically downloaded and installed at run time, if not present. You will need a internet connection open.
You need to install it on Linux, (or in your docker image), or on MacOS
- on ubuntu/debian:
apt install openssl
or alpine:
apk add openssl
- do not upgrade update-notifier above 4.x.x until nodejs 8 is required
NodeOPCUA PKI is developed and maintained by sterfive.com.
To get professional support, consider subscribing to the node-opcua membership community:
or contact sterfive for dedicated consulting and more advanced support.
If you like node-opcua-pki and if you are relying on it in one of your projects, please consider becoming a backer and sponsoring us, this will help us to maintain a high-quality stack and constant evolution of this module.
If your company would like to participate and influence the development of future versions of node-opcua please contact sterfive.